[5685] in Kerberos
Re: Preauthentication
daemon@ATHENA.MIT.EDU (Sam Hartman)
Fri Aug 11 18:46:41 1995
To: Glenn Machin <gmachin@sahp044.sandia.gov>
Cc: kerberos@MIT.EDU
In-Reply-To: Your message of "Fri, 11 Aug 1995 15:07:44 MDT."
<199508112115.PAA28795@sass165.sandia.gov>
Date: Fri, 11 Aug 1995 18:36:35 EDT
From: Sam Hartman <hartmans@MIT.EDU>
>>>>> "Glenn" == Glenn Machin <gmachin@sahp044.sandia.gov> writes:
Glenn> I thought the padata being set to a timestamp with some
Glenn> randomness attached, was useful in that it prevented
Glenn> someone from getting someone else's tgt and breaking the
Glenn> encryption at leisure. With an encrypted padata, the KDC
Glenn> could determine whether or not the requestor actually knew
Glenn> the password, and do blacklisting if need be. OSF DCE
Glenn> security server (1.1) uses it. Why didn't MIT at least ifdef
Glenn> that area?
As I understand it, the code to do this will eventually be
written. It hasn't been checked into the tree yet. Honestly, it
isn't that useful in most realms today because you need to support v4,
and an attacker can grab all the v4 tickets they want.
Also, it's nice as a user to be able to only be prompted for a
password if a ticket is received. (I realize several kinit versions
out there don't do this, but it is possible).
Finally, an attacker can always grab padata as people kinit,
although this is somewhat more difficult than the attacker actively
requesting tickets. The real answer is to have good passwords and possibly
hardware preauth.
--Sam
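The KDC-side check the thread is discussing, as an added illustration that is not code from this thread or from MIT Kerberos: a toy KDC refuses to issue a TGT until the client's padata proves knowledge of the long-term key, rejects stale or replayed timestamps, and counts failures for the blacklisting Glenn mentions. The key derivation (PBKDF2), the keyed MAC standing in for Kerberos encryption of the timestamp, the skew window and the lockout threshold are all assumptions of this example, not the real protocol's algorithms.

```python
import hashlib
import hmac
import os
import struct

ALLOWED_SKEW = 300   # seconds; the usual Kerberos clock-skew tolerance
MAX_FAILURES = 5     # hypothetical lockout ("blacklisting") threshold

def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string2key: PBKDF2 here, not the real algorithm."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def make_pa_enc_timestamp(key: bytes, now: int) -> bytes:
    """Client side: a keyed MAC over a fresh timestamp stands in for the
    encrypted timestamp (PA-ENC-TIMESTAMP) a real client sends as padata."""
    ts = struct.pack(">I", now)
    return ts + hmac.new(key, ts, hashlib.sha256).digest()

class KDC:
    """Toy KDC: issues a TGT only after padata proves knowledge of the key."""
    def __init__(self, principals):
        self.keys = dict(principals)   # principal -> long-term key
        self.failures = {}             # principal -> consecutive preauth failures
        self.seen = set()              # replay cache of padata already accepted

    def _fail(self, principal, reason):
        self.failures[principal] = self.failures.get(principal, 0) + 1
        return ("PREAUTH_FAILED", reason)

    def as_request(self, principal, padata, now):
        if principal not in self.keys:
            return ("UNKNOWN_PRINCIPAL", None)
        if self.failures.get(principal, 0) >= MAX_FAILURES:
            return ("LOCKED", "too many preauth failures")
        if padata is None:
            # Without preauth, nothing encrypted under the user's key leaves the KDC.
            return ("PREAUTH_REQUIRED", None)
        ts, tag = padata[:4], padata[4:]
        key = self.keys[principal]
        if not hmac.compare_digest(tag, hmac.new(key, ts, hashlib.sha256).digest()):
            return self._fail(principal, "bad key")
        if abs(struct.unpack(">I", ts)[0] - now) > ALLOWED_SKEW:
            return self._fail(principal, "clock skew")
        if padata in self.seen:
            return self._fail(principal, "replay")
        self.seen.add(padata)
        self.failures[principal] = 0
        return ("TGT", os.urandom(16).hex())  # stand-in for the AS-REP ticket
```

Sam's point about v4 still stands: a KDC that also answers v4 requests hands out encrypted tickets without any such check, so the preauth above only protects principals whose tickets are served through v5.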